This Week In Security: NetUSB, HTTP.sys, And 2013’s CVE Is Back

Let’s imagine a worst case situation for home routers. It would have to start with a port unintentionally opened to the internet, ideally in a popular brand, like Netgear. For fun, let’s say it’s actually a third-party kernel module, that is in multiple router brands. This module would then need a trivial vulnerability, say an integer overflow on the buffer size for incoming packets. This flaw would mean that the incoming data would write past the end of the buffer, overwriting whatever kernel data is there. So far, this exactly describes the NetUSB flaw, CVE-2021-45608.

Because red teams don’t get their every wish, there is a catch. While the overflow is exceptionally easy to pull off, there isn’t much wiggle room on where the data gets written. There’s no remote code execution Proof of Concept (PoC) yet, and [Max Van Amerongen], who discovered the flaw, says it would be difficult but probably not impossible to pull off. All of this said, it’s a good idea to check your router for open ports, particularly non-standard port numbers. If you have a USB port on your router, check for updates.

Windows HTTP.sys Problem

A serious problem has been announced in Windows Server 2019 and Windows 10, with some versions vulnerable in their default configurations. The problem is in how Windows handles HTTP Trailer packets, which contain extra information at the end of normal HTTP transfers. There is a PoC available that demonstrates a crash. It appears that an additional information leak vulnerability would have to be combined with this one to produce a true exploit. This seems to be a different take on CVE-2021-31166, essentially exploiting the same weakness, and working around the incomplete fix. This issue was fixed in the January patch set for Windows, so make sure you’re covered.

The List of Shame

The US Cybersecurity & Infrastructure Security Agency, CISA, maintains a running list of vulnerabilities that have been found in use in-the-wild. That’s an interesting list to keep tabs on, as there are some surprises there, like CVE-2013-3900​. That one really is a bug from 2013 that is actively being used in a malware campaign. It’s a flaw in Microsoft’s file signing routines that allows extra code to be injected into a signed dll without voiding the signature. While a fix was released back in 2013, it was later changed to an optional fix, due to impacts to legitimate software.

Jenkins Security Advisory

The Jenkins project has published a list of vulnerabilities, and patches for most of them. Among the unpatched vulnerabilities, one stands out as a potential problem. CVE-2022-23118 is a flaw in the Debian Package Builder Plugin that allows an attacker to run arbitrary git commands on the underlying host. It’s not clear exactly how much control over the Jenkins process is needed to take advantage of this, but one could imagine a rogue Debian maintainer using this to compromise the Debian build system.

New Tools To Defeat Lockout

[TheTechromancer], researcher at Black Lantern Security, misses the good old days of password spraying. For the uninitiated, this refers to taking a list of known accounts and a handful of bad passwords, like Password1!, and trying each bad password for each account. Just like the birthday paradox, you’ll get far more matches than expected. This success has been its own undoing, being one of the drivers in the push for multi-factor authentication. The other defensive tool interfering with password spraying is what [TheTechromancer] calls Smart Lockout — essentially an authorization system noticing too many requests from a single IP, and blocking that IP for a while.

What I’m trying to say is that we’re frustrated. And when hackers are frustrated, they write code.

This leads to the new open source tools, TREVORproxy and TREVORspray. TREVORproxy is a tool to spread those requests out over multiple sources, and it does that with two working modes. The first is SSH tunneling. Rent a few Amazon AWS hosts with public IPs, and set up your SSH credentials to each host. Feed that into TREVORproxy, and it load balances the attack between those hosts. The other technique requires IPv6 support by the target service. Rent a service that can give you an IPv6 subnet, and run TREVORproxy there, informing it about the subnet. It will balance requests across the entire subnet’s IP space. Grab a /64 IPv6 subnet, and you have 18 quintillion addresses to spray from.

Designed to work along-side is TREVORspray, a password sprayer optimized for parallelism, defeating smart lockout, and MFA bypasses where possible. It also includes a --recon mode, identifying the interesting logons associated with a domain name. The standard warnings apply, these are powerful tools, and only to be used with permission, or against targets with bug bounty programs that authorize such actions.

Ten Notches on NCC Group’s Security Gun

While definitely a White Hat security organization, NCC Group runs more than its fair share of red-team exercises, and has shared 10 of its wins against development pipelines. These stories range from the trivial, like a confusing Jenkins plugin configuration that allowed anyone to access the admin UI, to another where crashing a development pipeline exposed development variables, including account credentials. This is one of the good kind of top ten lists on the internet, take a minute to read through it.

You Database Is Leaking

If you are running Safari, that is. Researchers at FingerprintJS discovered an issue with Safari’s IndexedDB implementation, finding that the list of database names was pollable from any browser tab. This doesn’t sound like a problem, til you realize that when a site generates a database, it gives it a unique name that identifies the site, and maybe even the user. Head to safarileaks.com, particularly if you’re running the Safari browser, and let us know what you find. As of the time of writing, this issue has been fixed in release candidates from Apple, but not rolled out to everyone.

Bits and Bytes

Detecting malware on a machine, just by pointing an antenna at it, and crunching the EMF stats with a Raspberry Pi? It sounded too good to be true, but Tom bit the bullet and dug into the story. His conclusion? I won’t spoil it for you, check out his piece!

It’s another tale from Project Zero, this time about Zoom. There was quite a process getting a toehold into Zoom’s internal data structure, but a five year old Android package was unintentionally released with debugging symbols. While this one didn’t lead to a full exploit chain, there were still vulnerabilities found and fixed.

SSH is a superpower. Nothing feels quite like living in the matrix like SSHing into a machine many miles away, redirecting ports, and making a connection dance to my tune, jumping through the hops. If you want to brush up your SSH game, note that The Cyber Plumber’s Handbook is now available for free on GitHub.

Both Oracle and Cisco have announced multiple security issues, with Oracle’s advisory containing a whopping 497 issues, and Cisco’s topped by a bug ranked 9.6. That one is an unauthenticated privilege escalation in the Cisco Unified Contact Center Management Portal, allowing anyone admin access to the portal. Ouch.

2 thoughts on “This Week In Security: NetUSB, HTTP.sys, And 2013’s CVE Is Back

  1. Mozilla DoSing their own browser didn’t make it here. Understandable as not that many websites reported about it, but it affected Firefox users for an hour or so if you had telemetry on… The bug was in http3 code and disabling that made things work again.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.